Ventoy is a tool to make a USB with multiple ISOs bootable, letting you select which ISO to use on boot. Another newly-created account claims to be the dev’s friend and translator and has received no contact from the maintainer.
Nobody knows who responded here. Don’t spread rumors.
I thought it was clear from the details that it was suspicious. Edited.
Things are suspicious but you still spread gossip and maybe lies.
My name is Linus torvalds and this is why I TempleOS…
so ive deep dived into as much information as i can find. the TLDR is the main dev LongPanda supposedly went on a vacation to china (most likely his home country?) to which there is conflicting information on his return. one path is he make a lemmy account 9hours ago and made a message that doesn’t describe the blob and sound like a gpt response. to which his "irl friend made an account 3 hours ago to comment that he hasnt heard from LongPanda in months. both were removed from lemmy.ml because of suspected impersonation. the other side of the coin is the LongPanda is still gone and hasn’t addressed the blobs. after looking thought the documentation, you can build from source. in the instructions it says "5. Binaries
There some binaries in Ventoy install package. These files are downloaded from other open source project’s website, such as busybox."
i am not a programer but in the source build it lists the blobs and were there from supposedly from other FOSS projects with sha256’s. so theoretically you should be able to verify the blobs, with the sha256.
https://github.com/ventoy/Ventoy/blob/master/DOC/BuildVentoyFromSource.txt
I like Ventoy, it’s handy but I don’t think it’s indispensable so probably what I’ll do is go back to using Etcher (which is open source AFAIK) until this resolves itself one way or another. I assume either the dev will respond properly with an explanation and everything will be fine, or someone will get fed up enough to fork it. I feel like it’s probably nothing nefarious, but it doesn’t really hurt to be overly cautious in this case IMO.
Ventoy’s “killer feature” is the ability to have multiple ISOs in a single drive, can Etcher do that? If so I’ll switch, if not why not just use dd?
dd can do that?
It’s deja vu all over again 😹
So can grub. Actually ventoy is built on grub
Imho it will be much easier to replace blobs with verifiably correct blobs or add the source to build them than to retroactively find the original builds from whence they came.
Searching for some of those binaries looks like it would require comparing the hash against a large set of candidates which would need to first be unpacked from releases (fedora mostly???) and hashed unless the hashes already exist somewhere.
I understand the concern raised, but unless I’m reading this wrong there is an assumption that Ventoy may be doing something untoward, but I’m not sure how at this level. It can’t inject anything into the ISO files at rest without bricking then, and I don’t know if an OS that doesn’t verify it’s own image before booting.
Just sounds like super lazy project administration. Maybe I’m missing something?
- Around April, there was this big thing where a maintainer for XZ Compression included an SSH backdoor in binaries that were only built on release. If a freaking piece of compression software can backdoor SSH, who knows what else is possible.
- The response to the blob concern is nonsensical, made without their previously-known accounts, and coincides with someone’s claim that they are a close friend and was on vacation to China, the country where the XZ maintainer was from.
The xz issue is something totally different though. That was a software library running and executing against flat files. I’m just not sure there’s a way to alter an ISO image before boot, undetected in the case of Ventoy.
If the goal is to alter files to provide access to something, this must be some sort of ingenious way that bypasses checksums, and targets something universal, which doesn’t seem quite possible in the case of a substitute bootloader.
Yeah, it would be really big. I wouldn’t have posted about this if it weren’t for the radio silence and blabbering statement.
It can’t inject anything into the ISO files at rest without bricking then, and I don’t know if an OS that doesn’t verify it’s own image before booting.
As far as I can tell, this is not talking about ISOs installed using Ventoy, but precompiled blobs of things like Busybox that are included in the Ventoy install package. It’s an important distinction. The developer could bundle a tampered blob, include in the documentation the checksum that matches that blob, and then if someone checks with the upstream project and calls them out, say something along the lines of, “Oh, they must have withdrawn that release,” and replace it with an untampered blob. If they don’t fight to preserve the tampered blob, they might even get away with it.
The claim of the person you’re replying to is that even if the binaries were tampered, Ventoy wouldn’t be able to do anything.
Even if the original issue had anything to do with ISOs, he’s way overestimating the level of protection on many install ISOs, in my experience—they’re just disk images, and presumably all the files read off them are passing through Ventoy itself. Even if you find one that performs some kind of verification, easy enough to change a jump instruction to a no-op somewhere in the machine code guts of a file as it passes through Ventoy, and prevent the verification from executing. (The difficult part is figuring out which instruction to change, but people have done it before.)
No, I’m saying the way ISOs are written, you couldn’t just, say, inject changes via text tools or whatever like the xz attack.
I’m not aware of HOW a binary blob not knowing specifically what it was going to attack COULD attack anything in a resting and isolated state like it would be with Ventoy.
Didn’t something similar just happen with RustDesk? ChatGPT response from author in an hours old account.
On second sight, that specific response seems like a troll
I banned that one now too.
Some common threads I’m seeing with these troll accounts:
- lemmings.world
- new account
- claim to be or know the creators
- make claims about the insecurity of an open source app
- blame china in some way
Oh hell naw, I was rooting for rustdesk…
There are some random accounts that do not look like the original creator. I highly discourage from such titles like this post, because we don’t know. “Ventoy” (creator) did not respond as far as I can see.
Edit: Even if it looks legitimate, it can be impersonating to gain trust. Don’t blindly trust random people from new accounts.
In the best case, the software is unmaintained.
It is very much actively maintained other than this supposed vacation from the developer. Everything else is purely speculation and what seems to be impersonation of the dev on the fediverse.
This big issue has been open since April, and the dev has not responded, and his last commit was in early June. Yes, most of this is pure speculation, but 4 months is unmaintained.
Let’s see… Ventoy is a tool intended for sysadmins to use.
Something sketchy is going on in a tool sysadmins use when working on the crown jewels.
What could possibly go wrong? /s
Interesting context to bring up Lemmy
Edit: from the thread, it’s pretty clear those people were not the creator?
I’m not saying it was aliens, but it was aliens.
ancient aliens
I heard people raving about ventoy, i checked it out online, but blobs and chinese maintainer made it seem fishy. Even if a maintainer was legit it only takes CCP thteatening their family to get a backdoor inserted
This is ridiculous. You don’t trust “Chinese maintainers” (“even if legit” lol), because the “CCP” might threaten “their family to get a backdoor inserted”.
Absolutely unhinged level of fantasy in the context of this project. A nation of 1.4 billion people and you don’t trust anyone there to write software? You know they made your phone and pretty much everything else right? Also, the idea that “the CCP” is somehow uniquely (among governments) willing and able to coerce or commission backdoors in software is a feverishly deluded attitude.
Propaganda has put a backdoor in your brain.
We have chinese police here in Vancouver (edit Non Canadian force), if residents speak badly about CCP these “Police” show up at the door and try to coherce them back to mainland. I’m not regurgitating the articles, my friend living in vancouver had them show up. I’m not trusting blobs.
New York, DC, and LA as well. If one doesn’t want a polite knock, one doesn’t speak ill of the CCP.
Canada had investigated and started to shut sone down here. they had actual office feontbuilding setup as Chinese police station. Smaller places it was decentralized Chinese pokice. Downvoters should read the news links https://www.cbc.ca/news/canada/ottawa/rcmp-chinese-police-stations-1.6862336
Down voting for 2 reasons:
- This article is short on factual information that says what you’re implying.
- This is wholly irrelevant to Ventoy.
if you search Chinese Police Canada (or USA) there are tons of articles that are way more in depth, and describe encounters, etc.
I added that link so people don’t think I’m making it up when my friends house is getting door knocked by two CCP police.
It does not directly relate to Ventoy, it relates to why I would not trust a chinese product as we have first hand witness here in Canada of CCP harassing residents or forcing them back to china. There is that much control, even when they don’t live in China, that if CCP wanted to have widespread spying they would just pick a dev with family in the mainland.
Your phone, computer, TV, and various other electronics in your house were not made in China? You believe that your own country or mine cannot secretly compel backdoors?
deleted by creator
hey let’s not attribute racism to canadians in an act of ethnicism
Hang on, it’s racist to call out totalitarian dictatorships that put muslims in concentration camps and have secret police in other countries to enforce their draconian laws abroad on other sovereign state’s soil?
Fuck that, the chinese government is sketchy as hell, and so are you for trying to downplay the distrust said government has earned quite well as “racism.” Do you work directly for them or is it more of a 3rd party contractor situation?
deleted by creator
Yeah, sure would be if anyone had done that, but that assumption was an invention of your own not contained within the statement you replied to. “The belief” is that the Chinese government can coerce any citizens within it’s borders (and some outside it’s borders no less), stop putting words in other’s mouths yourself then.
Mmhmm “canned meme response” yes. Totally not employed to curtail criticisms of the government you’re defending, I can tell by the originality.
To play devil’s advocate, people often justify their biases with seemingly more reasonable stuff. “only good people should be trusted to breed” is eugenics even if someone made a funny movie about it.
Very true, but we can’t just not criticise a government because the people involved checks notes “aren’t white.” What would make them above criticism? In my view the only possible answer is because (and it’s usually applied to children or the mentally disabled,) “they don’t understand what they’re doing.” In my personal opinion “Nonwhite people” are just as capable as “white people” of knowing what they’re doing, as they are not by default children or mentally disabled (though they do also have both categories, and those categories should get a little more leeway). They know spying is wrong whether they’re “chinese” or “american.”
The American government is sketchy as hell too, but you aren’t here telling us not to trust American developers…
No, I do that on threads about american devs. You can’t just hand wave any criticisms of a government away with “racism” or “but whatabout this other government you also complain about?!”
I notice you haven’t told me that homophobia is bad too while you’re calling me racist, I guess that means you like homophobia? No? That’s just as ridiculous as “if you criticise one government you have to criticise them all in the same comment.” This isn’t “did you bring enough criticism for the whole class” time.
None of this should be news to anyone here, lemmy is highly privacy focused and that doesn’t go away simply because the proprietary blobs in question could be doing sketchy things for the CCP instead of the NSA, either way it’s bad to normal people who aren’t blindly allegiant to the CCP or the NSA.
Read my other reply in this thread you will see why/how CCP oversteps boundaries, and why you don’t trust blob code you can’t verify
- There’s an older comment in this thread that details how you could verify those blobs: https://sh.itjust.works/comment/14458323
- You very much implied that you shouldn’t trust all people of Chinese descent. I personally very much dislike the CCP, as a government I think they cause an immeasurable amount* of harm. However, what you are suggesting is on the same level of racism as the US government locking up all Japanese-Americans in internment camps during WWII.
- Seriously, calm down.
Nope just maintainers that I can’t verify their identity, not asians in general.
We live in a mixed bag of skin colours here, I have no issue with people…just CCP and their infiltration of their officials into Canada… that are harassing citizens and Permanent residents of chinese descent.